Hiding param of struts.xml values in Struts 2


Is there any way to hide the param values in struts.xml as they are visible on the URL when I pass them from one action to another?

<action name="BackToManagerIndex" class="Action.LoginAction" method="ManagerList">
    <result type="redirectAction">
        <param name="actionName">login</param>
        <param name="namespace">../Manager</param>
        <param name="User_Id">%{User_Id}</param>
        <param name="Password">%{Password}</param>
    </result>
</action>

Here, whenever the BackToManagerIndex action is completed I am redirecting it to another action called login which is in namespace Manager, with 2 properties: User_Id and Password.

Everything is fine, but the values of both the properties are visible on the URL as

http://localhost:8084/MEMS/Manager/login.action?User_Id=abc%40gmail.com&Password=1234

Is there any way to hide these values or the URL can be set to

http://localhost:8084/MEMS/Manager/login.action ?

(I still should get the values at other action)


There are 2 answers

Roman C (best answer)

Parameters that are included with the redirectAction result type are reflected in the URL. To remove them from the URL you need to remove them from the result config.

<action name="BackToManagerIndex" class="Action.LoginAction" method="ManagerList">
    <result type="redirectAction">
        <param name="actionName">login</param>
        <param name="namespace">/Manager</param>
    </result>
</action>

Another action after redirecting should take parameters from the session.
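The following is an added example of the session hand-off this answer describes; it is not code from the original post. It assumes Struts 2.3/2.5 (`org.apache.struts2.interceptor.SessionAware` with `setSession`), and that both the `BackToManagerIndex` action (method `ManagerList`) and the `login` action in `/Manager` are mapped onto the question's `Action.LoginAction` class, which is an assumption made for brevity. Only the user id is put in the session; the password is dropped once it has been used, so nothing sensitive travels on the redirect URL or lingers in the session.

```java
package Action;  // the question's action class lives in package "Action"

import java.util.Map;

import com.opensymphony.xwork2.ActionSupport;
import org.apache.struts2.interceptor.SessionAware;

/**
 * Added example: carries User_Id across a redirectAction via the session
 * instead of via URL parameters. Assumes struts.xml maps both
 * "BackToManagerIndex" (method ManagerList) and "/Manager/login"
 * (method login) onto this class.
 */
public class LoginAction extends ActionSupport implements SessionAware {

    /** Session key for the authenticated user's id (assumed name). */
    static final String USER_ID_KEY = "User_Id";

    private Map<String, Object> session;

    // Bound from the request by the params interceptor, as in the question.
    private String User_Id;
    private String Password;

    @Override
    public void setSession(Map<String, Object> session) {
        this.session = session;
    }

    /**
     * Runs for BackToManagerIndex. Once the caller has been authenticated
     * elsewhere, keep only the user id in the session and return SUCCESS so
     * the redirectAction result fires with no parameters at all.
     */
    public String ManagerList() {
        session.put(USER_ID_KEY, User_Id);
        Password = null;  // drop the plaintext as soon as it is no longer needed
        return SUCCESS;
    }

    /**
     * Runs for the "login" action under /Manager. Nothing arrives on the URL;
     * the user id is read back from the session. A missing id means the user
     * did not come through the expected flow, so send them back to log in.
     */
    public String login() {
        Object id = session.get(USER_ID_KEY);
        if (id == null) {
            addActionError("No authenticated user in session");
            return LOGIN;
        }
        User_Id = id.toString();
        return SUCCESS;
    }

    public String getUser_Id()         { return User_Id; }
    public void setUser_Id(String v)   { User_Id = v; }
    public String getPassword()        { return Password; }
    public void setPassword(String v)  { Password = v; }
}
```

With this in place the result for `BackToManagerIndex` needs only `actionName` and `namespace`, exactly as in the config above, and the redirect URL is `/MEMS/Manager/login.action` with no query string. If the application is on Struts 6, the interface moved to `org.apache.struts2.action.SessionAware` and the setter is `withSession`; the logic is otherwise the same.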

Andrea Ligios

You should never carry a password like that, in fact you should not even store it in the session. Not even in the database.

You should instead hash it and store the hash in the database; then, when a user enters a password to log in, you hash the password entered and compare it with the hash in the database.

In this way, not even you, the system and database administrator, are aware of the user's passwords.

Then hackers will try to use rainbow tables, dictionaries of hashed passwords, and to prevent that, you will add some salt to the hash.

Read more on:


Password discussion apart, if you want to redirect avoiding the parameters in the url for a user experience reason (and NOT for a security reason), other than putting them in Session you can also

run a script in the landing page that makes use of the HTML5 History API:

<script>
    // BEFORE:
    // http://localhost:8084/MEMS/Manager/login.action?User_Id=abc%40gmail.com&Password=1234
    window.history.pushState("","",window.location.pathname);
    // LATER:
    // http://localhost:8084/MEMS/Manager/login.action
</script>